A few days ago I received several mails alerting me about

Hello
A few days ago I received several mails alerting me about an script sending mail. Actually from the Google Maps plugin.

The script has sent nearly 30,000 emails.
--
29553 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages
--

--
-rw-r--r-- 1 australi australi 19195 Jan 21 2014 user64.php

The notifications are like these:

Time: Tue Dec 30 20:33:56 2014 -0500
Path: '/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages'
Count: 101 emails sent

Sample of the first 10 emails:

2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:24:25 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:26:54 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i
2014-12-30 20:26:54 cwd=/home/australi/public_html/wp-content/plugins/wpmu_dev_maps_plugin/languages 3 args: /usr/sbin/sendmail -t -i

  • Tyler Postle

    Hey Luis N,

    Hope you're doing well today!

    There should only be language files inside that folder. Just ad .po and .mo file. Do you have a script inside the google maps language folder? If you do then you can delete it.

    It sounds like a potentially malicious file found it's way into your installation.

    Look forward to hearing back on this Luis!

    All the best,
    Tyler

    PS. Your Google maps plugin is a few versions behind. Can you update to the latest version which is 2.9.0.6.

    That should overwrite any non-Google Maps plugin files and ensure the folder is back to it's default state.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.